saml meets oauth in the cloud: a marriage made in heaven
TRANSCRIPT
Session ID:
Session Classification:
Riaz ZolfonoonRSA, The Security Division of EMC
ARCH‐R08
Intermediate
SAML Meets OAuth in the Cloud: A Marriage Made in Heaven
#RSAC
Agenda
► Introduction
►SAML Overview
►OAuth Overview
► Integration Use Cases
#RSAC
Introduction
#RSAC
SAML Overview
►SAML= Security Assertion Markup Language►Enables Single Sign-on across domains, using open
standards► an alternative to proprietary SSO and Cross-Domain SSO
solutions
►The Actors:► IDP► SP► Assertion Bearer
#RSAC
SAML Sample Scenario
►Definition: Employees need access to “Storage-in-the-Cloud”. But additional auth (i.e. another logon) are not acceptable. Need SSO with enterprise!
(SP)
(IDP)1
2
3SAML
4SAML
#RSAC
OAuth 2.0 Overview
►OAuth = Open Authorization►An open standard that allows users to share their private
resources on one site (RS) with another site (Client) without having to hand out their credentials.
►Standards► IETF RFC 5849 - OAuth 1.0 Protocol► IETF RFC 6749 - OAuth 2.0 Authorization Framework
#RSAC
OAuth 2.0 Overview
►Actors► Resource Owner: end user► Resource Server (RS): hosting protected resource► Client: accessing resource on behalf of end user► Authorization Server (AS): issuing access token after successful
auth
#RSAC
OAuth Sample Scenario
►Definition: Users access a “Corporate Benefits” portal which aggregates and presents health plan, 401K, and other corporate benefits from different sites
(Client)
4 AG
(AS)
(RS)
6AT
73
2
AT
51
#RSAC
OAuth & Enterprise Challenges
Typical OAuth Use Cases
Typical Enterprise Use Case
User‐centric IT‐centric
Simple authentication(focused on authorization)
Richer authentication
Low touch integration High touch integration (e.g. with existing IAM)
#RSAC
Integration Use CasesBusiness Perspective
• Emerging Cloud‐based services support OAuth to secure APIs & provide access to resources
• OAuth does not prescribe the authentication details
• Creates an opportunity for the enterprises to take advantage of existing authentication and federation protocols for issuing OAuth Access Token
#RSAC
• Third party providers (BYOI) are becoming increasingly more popular.
• For a number of reasons enterprises are (gradually) considering the use of 3rd party credentials when users are authenticating to their services.
• The 3rd party providers, Social and Professional networks, are typically OAuth enabled.
Integration Use CasesBusiness Perspective
#RSAC
Integration Use CasesTechnical Mapping
Assertion Authz Grant
Assertion Access Token
3rd Party Authentication (BYOI)
AuthzSvc
AuthzSvc
IDP
#RSAC
Integration Use CaseRequesting Authorization Grant using SAML Assertion
6AT AT
(Client)
2
(RS)
(AS)
3
(IDP)
9 AT
1
AT
8
4
7 AG
SAMLAssertion
10
5SAML
SAML
#RSAC
Integration Use CaseRequesting Access Token using SAML Assertion
(AS)
(RS)
(IDP)
(Client)
1
2
3
7
5
AT
8
AT
SAML
SAML4
#RSAC
Integration Use Case3rd Party Authentication
(SP)
(IDP)
1
(3rd party Auth)
2
78
6
(AS)
4
3
5
SAML9
SAML
#RSAC
Conclusion
►SAML and OAuth are complementary
►Enterprise investment in SAML is preserved
► Integrated use cases facilitate access to Could-based services► access to protected resources► external Identity Providers (BYOI)
#RSAC
References
►SAML Specificationshttp://saml.xml.org/saml-specifications
►The OAuth 2.0 Authorization Frameworkhttp://tools.ietf.org/html/rfc6749
►The OAuth 2.0 Authorization Framework: Bearer Token Usagehttp://tools.ietf.org/html/rfc6750
►SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grantshttp://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-17